JS can jump both sandboxes and VMs. And it only takes one rogue/hacked website to do it. You can't trust JS. Ever. You never know what is being sent to your browser.

Even "trusted" websites become untrusted when your connection has been intercepted. And not just nation states can intercept your connection. Hotel WiFi is notorious for breaking TLS. Many large buildings have their own connection infrastructure. Many offices, businesses, universities and schools will connect you in their own way. And it only takes one bad node in any of the chain of boxes and now your computer has become part of a botnet.

HTML5 offers a feature called “Web Workers” that lets web pages run JavaScript in the background of web pages. Those scripts have nothing to do with the user interface and can be invisible to users, other than the fact they consume some processor cycles.

The Register has used Web Workers to create a distributed bitcoin mining operation.

Yay, let's allow all websites to steal our CPU cycles. Because of course doing work for remote websites is much more important than anything you might be doing.

The LED is controlled by software though. Sometimes there is a delay before it comes on. Perhaps the camera can be activated briefly to capture an image and deactivated again while the LED remains dark?

In any case, to test my theory I opened Chrome Developer Tools to throttle my network connection to the slowest option available and to disable JavaScript. I navigated to an article on my site and it loaded in three seconds. I tried to use Google search and it was blazing fast, BUT I didn’t see any AMP links. Of course not, AMP links only show up when JavaScript is enabled.

I’ve re-enabled the JavaScript (while keeping the network speed slow) and tried to search for some AMP content. It took over 10 seconds just to load the news carousel.

As far as I am concerned, static content (without JavaScript) is still the king.

Although that link doesn't work without JS, the text can be extracted from the source.

Quote:

If you’re daydreaming about buying a home or need to lower the payment on the one you already have, you might pay a visit to the Quicken Loans mortgage calculator. You’ll be asked a quick succession of questions that reveal how much cash you have on hand or how much your home is worth and how close you are to paying it off. Then Quicken will tell you how much you’d owe per month if you got a loan from them and asks for your name, email address, and phone number.

You might fill in the contact form, but then have second thoughts. Do you really want to tell this company how much you’re worth or how in debt you are? You change your mind and close the page before clicking the Submit button and agreeing to Quicken’s privacy policy.

But it’s too late. Your email address and phone number have already been sent to a server at "murdoog.com," which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the "Submit" button.

During a recent investigation into how a drug-trial recruitment company called Acurian Health tracks down people who look online for information about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page. (It’s yet another way auto-fill can compromise your privacy.)

NaviStone is an Ohio-based startup in the business of identifying "ready to engage" customers and matching "previously anonymous website visitors to postal names and addresses." It says it can send postcards to the homes of anonymous website shoppers within a day or two of their visit, and that it’s capable of matching "60-70% of your anonymous site traffic to Postal names and addresses."

Yes, you guessed it, no JS means none of those underhanded things will work.

WTF how is that even legal? I can understand logging IP addresses, but seriously home addresses and such? There is a reason this data falls under Privacy Policy. The fact they send it before even agreeing to the privacy policy should be illegal.
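
Added example, not part of any post in this thread and not code from NaviStone or any site named above: a Node.js check a defender could run over a recorded page session to flag form values that leave the browser before the Submit click, the behaviour the quoted article describes. The timeline format, the host names and the field values are constructed assumptions.

```javascript
// Hypothetical first-party host and a constructed capture of one page visit.
const PAGE_HOST = "lender.example";
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const sampleTimeline = [
  { t: 1, type: "input", field: "email", value: "pat@example.org" },
  { t: 2, type: "request", url: "https://lender.example/api/rates", body: "zip=43004" },
  { t: 3, type: "request", url: "https://collector.example/c", body: "e=pat%40example.org" },
  { t: 4, type: "input", field: "phone", value: "555-0100" },
  { t: 5, type: "request", url: "https://collector.example/c", body: "p=" + b64("555-0100") },
  { t: 6, type: "submit" },
  { t: 7, type: "request", url: "https://lender.example/apply",
    body: "email=pat%40example.org&phone=555-0100" },
];

// Forms in which a typed value commonly appears on the wire. Only whole-value
// encodings are covered; hashed or encrypted payloads will not match.
function encodings(value) {
  return [value, encodeURIComponent(value), b64(value)];
}

// Returns one finding per (request, field) where a value typed into the form
// shows up in a request URL or body before any submit event.
function findPreSubmitLeaks(timeline, pageHost) {
  const typed = new Map(); // field name -> latest value seen
  const findings = [];
  let submitted = false;
  for (const ev of [...timeline].sort((a, b) => a.t - b.t)) {
    if (ev.type === "input") {
      typed.set(ev.field, ev.value);
    } else if (ev.type === "submit") {
      submitted = true;
    } else if (ev.type === "request" && !submitted) {
      const host = new URL(ev.url).hostname;
      const thirdParty = host !== pageHost && !host.endsWith("." + pageHost);
      const haystack = ev.url + "\n" + (ev.body || "");
      for (const [field, value] of typed) {
        // Skip very short values to avoid accidental substring matches.
        if (value.length >= 4 && encodings(value).some((e) => haystack.includes(e))) {
          findings.push({ t: ev.t, host, field, thirdParty });
        }
      }
    }
  }
  return findings;
}

console.log(findPreSubmitLeaks(sampleTimeline, PAGE_HOST));
```

The request at t=7 is not reported because it follows the submit event; the two requests to the constructed third-party host are.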
